Issue BigFix and Tenable.IO Integration

Hi, we’re currently doing a PoC to see the integration between BigFix and Tenable.IO. I’ve followed the documentation and everything is set up and running (Insights/BigFix IVR Service, dataflows set up, etc.). I’ve also received the access/secret key from my Tenable Administrator.

When it’s running the dataflow, I can see the connection established with Tenable.IO; however, when trying to get the vulnerabilities/machines etc., it returns the following error in the logs (debug enabled):

Step 1: Validate the Data Adapters

2022-07-12 10:01:50.657701 5980 execute LogLevels.INFO Starting DataFlow: Endpoint data from Tenable.io To BigFix Insights
2022-07-12 10:01:50.660701 5980 validate_configuration LogLevels.INFO Validating Configuration
2022-07-12 10:01:50.662704 5980 validate_configuration LogLevels.DEBUG Source Adapter Validation: tenable
2022-07-12 10:01:50.876704 5980 get_pytenable_connection LogLevels.INFO Attempting to connect to Tenable.IO instance
2022-07-12 10:01:52.409219 5980 VerifyConnection LogLevels.INFO Connected to Tenable.io Server VERSION "6.9.1"
2022-07-12 10:01:52.414222 5980 validate_configuration LogLevels.DEBUG Source Adapter Validation Successful: tenable
2022-07-12 10:01:52.416223 5980 validate_configuration LogLevels.DEBUG Target Adapter Validation: insight
2022-07-12 10:01:52.439223 5980 execute LogLevels.DEBUG Opening Connection: DRIVER={ODBC Driver 17 for SQL Server};SERVER=azw-beswebuiqa\bes;DATABASE=BFInsights
2022-07-12 10:01:52.441219 5980 WriteToLogs LogLevels.DEBUG RootURL: DRIVER={ODBC Driver 17 for SQL Server};SERVER=azw-beswebuiqa\bes;DATABASE=BFInsights
2022-07-12 10:01:52.444218 5980 WriteToLogs LogLevels.DEBUG Query: Select 1
2022-07-12 10:01:52.447222 5980 WriteToLogs LogLevels.DEBUG VerifyCert: False
2022-07-12 10:01:52.450223 5980 WriteToLogs LogLevels.DEBUG SQL Method: SELECT
2022-07-12 10:01:52.487219 5980 execute LogLevels.DEBUG Query type: SELECT, Rows: 0, Time: 0:00:00.055000
2022-07-12 10:01:52.490219 5980 execute LogLevels.INFO Records Returned: 1
2022-07-12 10:01:52.492219 5980 validate_configuration LogLevels.DEBUG Target Adapter Validation Successful: insight
2022-07-12 10:01:52.495219 5980 validate_configuration LogLevels.INFO Configuration Validated In: 0:00:01.832521

Step 2: Try to get data from Tenable

2022-07-12 10:01:54.960234 14920 GetDataSource LogLevels.DEBUG Read Single Datasource details: TenableIO
2022-07-12 10:01:54.964234 14920 emit LogLevels.DEBUG pyTenable: {"method": "POST", "url": "https://cloud.tenable.com/assets/export", "params": {}, "body": {"filters": {}, "chunk_size": 1000}}
2022-07-12 10:01:54.971235 14920 emit LogLevels.DEBUG pyTenable: Starting new HTTPS connection (1): cloud.tenable.com:443
2022-07-12 10:01:55.180108 14920 emit LogLevels.DEBUG pyTenable: https://cloud.tenable.com:443 “POST /assets/export HTTP/1.1” 403 69
2022-07-12 10:01:55.187109 14920 emit LogLevels.DEBUG pyTenable: Request-UUID 3702543bff9be813cfca153b8c55c989 for https://cloud.tenable.com/assets/export
2022-07-12 10:01:55.194107 14920 emit LogLevels.ERROR pyTenable: POST https://cloud.tenable.com/assets/export >> 3702543bff9be813cfca153b8c55c989:403 {"statusCode":403,"error":"Forbidden","message":"Insufficient scope"}
2022-07-12 10:01:55.198105 14920 load_findings_worker LogLevels.ERROR
2022-07-12 10:01:59.656366 5980 process_results LogLevels.INFO Total Tenable Findings Returned: 0

Has anyone come across a similar issue? It looks to me like a permission issue with the keys, but I’m not so sure. I’ve also opened a case with HCL Support on the same.

Any ideas would be appreciated.

Thx.

Hello!

I too believe this is most likely a permission issue with the credentials provided for Tenable.io. Can you verify that the API keys being used have the ‘Administrator’ role per https://help.hcltechsw.com/bigfix/10.0/integrations/Ecosystem/Install_Config/c_APIreq_TenableIO.html ?

Hi Aram, thx for the quick response. Indeed that was the issue; it’s resolved now and I’m able to import the data.

Thx for your help.


Hi Aram,
I would like to ask a few follow-up questions regarding this product.
I’ve managed to do the import and all is looking good; I also remediated an endpoint and it’s reflecting correctly.
Thinking this through a bit more: today in our environment we provide application/server owners with the vulnerabilities reported by Tenable, including the CVEs, and have them fix those. This is cumbersome and time consuming; the IVR integration can greatly reduce the overall time, but I’ve already seen some issues/differences:

  • When I check my test machine it only shows 1 vulnerability through the IVR App; the same machine shows 4-5 vulnerabilities when checking via Tenable??? I’ve reported every vulnerability.
    List reported through Tenable but not via the IVR Application:
    • Tenable Nessus Agent < 8.3.3 / 10.x < 10.1.3 Third-Party Vulnerability (TNS-2022-07)
      (Not able to find this one)
    • Mozilla Firefox ESR < 91.11
      (This I can also find in the external site “Updates for Windows Applications”)
    • KB5015807: Windows 10 Version 20H2 / Windows 10 Version 21H1 / Windows 10 Version 21H2 Security Update (July 2022) ==> This is the July patch, can be ignored
    • Microsoft Internet Explorer Unsupported Version Detection (Cannot find this one)
    • Adobe Reader < 17.012.30249 / 20.005.30362 / 22.001.20169 Multiple Vulnerabilities (APSB22-32)
      (This I can also find in the external site “Updates for Windows Applications”)

Question: What are the criteria for a vulnerability to be reported in the IVR App for remediation?

Operator Setup

  • I can see the WebUI App “IVR” via the Console, so I can create an Operator Role with access only to WebUI and the IVR App. Would it also be possible to restrict this to a subset of machines that belong to a specific BigFix Site, and even more granularly, to a specific application?

IVR Application
I’ve been testing this but noticed that at the end of the day the service stops and does not restart anymore. The service startup is set to Manual; if I start the service it will run during the day, but at the end of the day it stops and needs to be restarted manually.

I’ve also opened an HCL case for this but wanted to share some info on the work done so far.

Rgds

When IVR synchronizes with Tenable, it analyzes the vulnerability instances and attempts to categorize them according to the following questions:

  1. Are there remediations (Fixlets) readily available in my BigFix environment to address the vulnerabilities identified by Tenable? (Note that this is based primarily on CVE mapping today)

    • We refer to this as the ‘Correlation’ category
    • When mapping to remediation Fixlets, we account for Patch supersedence, so, IVR attempts to recommend the most recent Patch for remediation
  2. Are there vulnerabilities identified by Tenable that I cannot readily fix with content available in my BigFix Environment?

    • We refer to this as the ‘Gap’ category
    • We report on these vulnerabilities not only to highlight potential gaps, but also because these can likely still be remediated using BigFix through custom content. And if you create custom content to address a given vulnerability instance and tag the Fixlet with the appropriate CVE data, it will be eligible for Correlation in subsequent analysis.
  3. How do I reconcile differences between what Tenable is reporting, and the state that BigFix is reporting for a given vulnerability instance?

    • We refer to this as the ‘Discrepancy’ category
    • In this case, IVR was able to find at least one (potentially several) Fixlets to remediate the given vulnerability (again, based on CVE), but none of the Fixlets in question are applicable on the endpoint on which the vulnerability was identified by Tenable

IVR provides BI reports to categorize the vulnerabilities according to the 3 questions above. For reference, please see https://help.hcltechsw.com/bigfix/10.0/integrations/Ecosystem/Install_Config/c_business_inetlligence_reports.html

The IVR App in WebUI specifically focuses on the Correlation category where we have Fixlets identified to remediate the discovered vulnerabilities based on CVE mapping. So, it won’t include vulnerabilities for which IVR did not match against any Fixlets for remediation.

Regarding your operator question, yes, you can certainly restrict an operator to a subset of machines (and/or Fixlet sites), and the IVR App will limit the operator’s views accordingly.

Regarding the IVR Service, you should be able to set the service to automatic, but it should not stop and require manual restarts. As you’ve already done, I’d recommend a support case to troubleshoot.


Hi Aram,
thx for the detailed explanation; I do have a follow-up question.
I’m currently doing some initial testing with a Windows 10 workstation (21H2) that has a few apps installed.
When I check IVR it does not report any vulnerabilities.
Checking Tenable.IO, it reports vulnerabilities for Mozilla Firefox / Adobe Reader. I’ve checked and both apps are available as Fixlets in BigFix; I know you mentioned that this “correlation” is matched using CVE mapping.
Does this imply a 1:1 match on CVE mapping?

Quick comparison for Firefox between Tenable.IO | BigFix
Tenable.IO
Mozilla Firefox ESR < 91.11

  • CVE-2022-34479
  • CVE-2022-34470
  • CVE-2022-34468

BigFix (Updates for Windows Applications)
Mozilla Firefox 91.11.0 ESR Available

  • CVE-2022-34479
  • CVE-2022-34470
  • CVE-2022-34468
  • CVE-2022-34481
  • CVE-2022-31744
  • CVE-2022-34472
  • CVE-2022-34478
  • CVE-2022-2200
  • CVE-2022-34484

We would like the IVR app to be the single source for server owners to use for patching any vulnerabilities (excluding OS patches, as they are deployed using Patch Policies). Is this something that will be handled in the future?

Thx again for all your help.
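As an added illustration (not IVR's, HCL's or BigFix's own code) of the three categories Aram describes and of the Firefox CVE comparison in the follow-up question, here is a small Python model that classifies one Tenable finding against CVE-tagged Fixlets. The "any shared CVE" matching rule, the strict "exact" alternative, the endpoint names and the older 91.10.0 Fixlet are assumptions for illustration, not documented IVR behaviour.

```python
# Added example, not IVR's or BigFix's own code: a simplified model of the
# Correlation / Gap / Discrepancy categories described in the thread, run over the
# Firefox CVEs quoted above. Matching rules, endpoint names and the older Fixlet are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Fixlet:
    name: str
    cves: frozenset            # CVE tags on the Fixlet
    applicable_on: frozenset   # endpoints where BigFix reports it relevant
    supersedes: str = ""       # older Fixlet this one replaces, if any

@dataclass(frozen=True)
class Finding:
    endpoint: str
    plugin: str                # Tenable plugin name
    cves: frozenset

def categorize(finding, fixlets, rule="overlap"):
    """Return (category, recommended Fixlet names). rule="overlap": any shared CVE
    matches (assumed rule); rule="exact": CVE sets identical, the strict 1:1 case."""
    if rule == "exact":
        matches = [f for f in fixlets if f.cves == finding.cves]
    else:
        matches = [f for f in fixlets if f.cves & finding.cves]
    superseded = {f.supersedes for f in matches}      # honour Patch supersedence:
    matches = [f for f in matches if f.name not in superseded]  # keep newest only
    if not matches:
        return "Gap", []                               # no remediation content found
    applicable = [f for f in matches if finding.endpoint in f.applicable_on]
    if not applicable:                                 # content exists, not relevant here
        return "Discrepancy", sorted(f.name for f in matches)
    return "Correlation", sorted(f.name for f in applicable)

# CVE lists as quoted in the thread (Tenable plugin vs. BigFix Fixlet)
TENABLE_CVES = frozenset("CVE-2022-34479 CVE-2022-34470 CVE-2022-34468".split())
FIXLET_CVES = frozenset(("CVE-2022-34479 CVE-2022-34470 CVE-2022-34468 CVE-2022-34481 "
                         "CVE-2022-31744 CVE-2022-34472 CVE-2022-34478 CVE-2022-2200 "
                         "CVE-2022-34484").split())
FIREFOX_FINDING = Finding("WIN10-TEST", "Mozilla Firefox ESR < 91.11", TENABLE_CVES)
FIXLETS = [
    Fixlet("Mozilla Firefox 91.11.0 ESR Available", FIXLET_CVES, frozenset({"WIN10-TEST"}),
           supersedes="Mozilla Firefox 91.10.0 ESR Available"),
    # hypothetical older Fixlet sharing one CVE, to show supersedence in action
    Fixlet("Mozilla Firefox 91.10.0 ESR Available", frozenset({"CVE-2022-34468"}),
           frozenset({"WIN10-TEST"})),
]
```

Under the overlap rule the Tenable finding correlates to the 91.11.0 Fixlet (the superseded 91.10.0 one is dropped), under the exact rule it lands in Gap, and the same finding on an endpoint where no Fixlet is applicable lands in Discrepancy.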